Added URL parser

Author: eldadfux

app/(main)/threads/[id]/thread-client-page.tsx

@@ -15,6 +15,7 @@ import { Avatar, AvatarFallback, AvatarImage } from "@/components/ui/avatar"
 import { Button } from "@/components/ui/button"
 import { Clock, TrendingUp, Reply, ChevronDown, ChevronUp, Trash2 } from "lucide-react"
 import { BotLabel } from "@/components/bot-label"
+import { ParsedText } from "@/components/parsed-text"
 
 interface ThreadClientPageProps {
   article: NewsItem
@@ -99,7 +100,9 @@ const CommentItem = memo<CommentItemProps>(({
           <span className="text-gray-500">•</span>
           <span className="text-gray-500 text-xs">{comment.timeAgo}</span>
         </div>
-        <div className="text-gray-700 text-sm mb-3 whitespace-pre-wrap">{comment.text}</div>
+        <div className="mb-3">
+          <ParsedText text={comment.text} />
+        </div>
 
         <div className="flex items-center gap-3">
           <CommentVote

components/comments-section.tsx

@@ -16,6 +16,7 @@ import { handleVote } from "@/lib/voteHandler"
 import { deleteComment } from "@/lib/commentHandler"
 import { ArrowUpDown, Clock, TrendingUp, Reply, X, Trash2 } from "lucide-react"
 import { BotLabel } from "@/components/bot-label"
+import { ParsedText } from "@/components/parsed-text"
 
 interface CommentItemProps {
   comment: Comment
@@ -121,7 +122,7 @@ const CommentItem: React.FC<CommentItemProps> = ({
           )}
 
         </div>
-        <p className={`text-gray-700 mt-1 text-sm ${isMobile ? 'mt-0.5 text-xs' : 'mt-1'}`}>{comment.text}</p>
+        <ParsedText text={comment.text} />
 
         {/* Action Buttons */}
         <div className={`flex items-center gap-3 mt-2 ${isMobile ? 'gap-1.5 mt-1' : 'gap-3 mt-2'}`}>

components/parsed-text.tsx

@@ -0,0 +1,22 @@
+"use client"
+
+import { parseUrlsInText } from "@/lib/urlParser"
+
+interface ParsedTextProps {
+  text: string
+  className?: string
+}
+
+/**
+ * React component for rendering parsed text with links
+ */
+export function ParsedText({ text, className = "text-gray-700 text-sm whitespace-pre-wrap" }: ParsedTextProps) {
+  const parsedHtml = parseUrlsInText(text)
+  
+  return (
+    <div 
+      className={className}
+      dangerouslySetInnerHTML={{ __html: parsedHtml }}
+    />
+  )
+}

lib/urlParser.ts

@@ -0,0 +1,148 @@
+/**
+ * Secure URL parsing utility for comments
+ * Handles URL detection, validation, and safe link generation with SEO protection
+ */
+
+// Allowed URL schemes for security
+const ALLOWED_SCHEMES = ['http:', 'https:', 'mailto:']
+const ALLOWED_PROTOCOLS = ['http', 'https', 'mailto']
+
+// Maximum URL length to prevent abuse
+const MAX_URL_LENGTH = 2048
+
+// Regex patterns for URL detection
+const URL_REGEX = /(https?:\/\/[^\s<>"{}|\\^`[\]]+)/gi
+const EMAIL_REGEX = /([a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})/gi
+
+/**
+ * Validates if a URL is safe and allowed
+ */
+function isValidUrl(url: string): boolean {
+  try {
+    const parsedUrl = new URL(url)
+    
+    // Check if scheme is allowed
+    if (!ALLOWED_SCHEMES.includes(parsedUrl.protocol)) {
+      return false
+    }
+    
+    // Check URL length
+    if (url.length > MAX_URL_LENGTH) {
+      return false
+    }
+    
+    // Additional security checks
+    // Prevent javascript: and data: URLs
+    if (url.toLowerCase().startsWith('javascript:') || 
+        url.toLowerCase().startsWith('data:') ||
+        url.toLowerCase().startsWith('vbscript:') ||
+        url.toLowerCase().startsWith('file:')) {
+      return false
+    }
+    
+    // Check for suspicious patterns
+    const suspiciousPatterns = [
+      /javascript:/i,
+      /data:/i,
+      /vbscript:/i,
+      /file:/i,
+      /<script/i,
+      /on\w+\s*=/i, // onclick, onload, etc.
+    ]
+    
+    for (const pattern of suspiciousPatterns) {
+      if (pattern.test(url)) {
+        return false
+      }
+    }
+    
+    return true
+  } catch {
+    return false
+  }
+}
+
+/**
+ * Validates if an email address is safe
+ */
+function isValidEmail(email: string): boolean {
+  // Basic email validation
+  const emailPattern = /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/
+  return emailPattern.test(email) && email.length <= 254
+}
+
+/**
+ * Sanitizes text to prevent XSS attacks
+ */
+function sanitizeText(text: string): string {
+  return text
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#x27;')
+    .replace(/\//g, '&#x2F;')
+}
+
+/**
+ * Creates a safe link element with SEO protection
+ */
+function createSafeLink(url: string, text: string): string {
+  const sanitizedUrl = sanitizeText(url)
+  const sanitizedText = sanitizeText(text)
+  
+  return `<a href="${sanitizedUrl}" 
+              target="_blank" 
+              rel="noopener noreferrer nofollow" 
+              class="text-blue-600 hover:text-blue-800 underline break-words"
+              title="External link">${sanitizedText}</a>`
+}
+
+/**
+ * Creates a safe mailto link
+ */
+function createSafeMailtoLink(email: string): string {
+  const sanitizedEmail = sanitizeText(email)
+  
+  return `<a href="mailto:${sanitizedEmail}" 
+              class="text-blue-600 hover:text-blue-800 underline break-words"
+              title="Send email">${sanitizedEmail}</a>`
+}
+
+/**
+ * Parses text and converts URLs and emails to safe clickable links
+ */
+export function parseUrlsInText(text: string): string {
+  if (!text || typeof text !== 'string') {
+    return ''
+  }
+  
+  let result = text
+  
+  // First, handle URLs
+  result = result.replace(URL_REGEX, (match) => {
+    if (isValidUrl(match)) {
+      return createSafeLink(match, match)
+    }
+    return match // Return original if invalid
+  })
+  
+  // Then, handle email addresses
+  result = result.replace(EMAIL_REGEX, (match) => {
+    if (isValidEmail(match)) {
+      return createSafeMailtoLink(match)
+    }
+    return match // Return original if invalid
+  })
+  
+  return result
+}
+
+/**
+ * Hook for parsing URLs in text (for use in forms, etc.)
+ */
+export function useUrlParser() {
+  return {
+    parseUrls: parseUrlsInText
+  }
+}